Method for modifying code sequences and related device

ABSTRACT

The present invention relates to a process and a device for modifying code sequences written into a first memory (2) of a medium. A central processing unit (1) executes code sequences and the first memory contains a main program comprising at least one code sequence executable by the central processing unit (1). The first memory also comprises a second, programmable nonvolatile memory (3), and a third working memory (4). A branch table TAB_DER contained in the second programmable memory contains at least one field containing reference data for a new code sequence stored in one of the memories. Branching instructions allow a deferred branch from the executed code sequence to the new code sequence written into one of the three memories. Instructions in the new code sequence allow the return to a point of the code sequence executed before the branch.

CROSS REFERENCE TO RELATED APPLICATION

The subject matter of this application is related to the subject matter of application Ser. No. 08/981,607 which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a process for modifying code sequences and the associated device.

2. Description of Related Art

The present invention relates to computer programs, particularly those intended to be recorded on a medium in such a way that they cannot be modified, at least not easily. These media are integrated into a data processing system comprising, among other things, a central processing unit, a working memory, a nonvolatile memory and input/output means. More specifically, this data processing system can be incorporated into a chip card. In this case, the card contains a circuit comprising at least one microprocessor, a read-only memory containing a program and possibly data, a working memory and a programmable nonvolatile memory. Advantageously, the circuit is designed in monolithic form. The nonvolatile memory can store data and/or code; thus, the microprocessor can execute this code just in the same way as the code stored in read-only memory. Hence, there are two types of memory in one card; the content of the first memory is written when the circuit is manufactured and cannot be modified. The content of the second is initially blank, the values being written during the normal utilization of the object.

These days, chip cards can technically meet many needs. The program incorporated into the card, also called the “operating system,” makes it possible to adapt the functions of the card to its end use. Currently, the operating system is stored in a ROM that is etched during the production of the integrated circuit. The modification of the program in order to meet new requirements is a long operation that poses a huge problem when the client is pressed for time. Moreover, this operation is very costly; this discourages many “small” clients who wish to buy several thousand cards, and often they settle for a card that only partially meets their expectations. One solution is comprised of using an existing mask and adding the functions requested by the client into the programmable memory or of modifying the functions existing in ROM.

The capability to input and execute additional code in programmable memory offers the advantage of being easily able to add new functions to an old program or to adapt old functions to specific needs.

Application Ser. No. 08/981,607 filed Dec. 27, 1998, for “Method And Device Enabling A Fixed Program To Be Developed”, which is assigned to the assignee of the present invention, describes a specific mechanism for branching a program during the execution of certain instructions. The preceding invention is comprised of establishing polling points and orientation points at certain locations in the ROM, using respective instructions. A polling point is indicated by a number and makes it possible to access a routine in the programmable memory if there is an existing code sequence corresponding to the address indicated by this number. If there is, a flag is set and the branch address is stored in RAM. An orientation point is active if a polling point has previously been executed. If it has, the branch is triggered by having the normal program execute a jump to the programmed address. The code sequence to be executed can be in programmable memory or read-only memory.

However, this embodiment entails several problems if there are a number of modifications in the execution of the program that must be able to be handled. In this case, it is necessary to implement a large number of orientation points in the read-only memory. In the extreme, if high adaptability is desired, the program contains more code for executing branches than there is code constituting the main program. The multiplicity of these points is a major drawback if the size of the read-only memory is limited. Moreover, the execution time increases in proportion to the number of points. If the number of branch points is limited to adapt to constraints, the embodiment loses flexibility, since it does not make it possible to branch a program during the execution of any instruction whatsoever.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a device that makes it possible to correct certain abnormalities in the execution of a fixed program, and thus makes it possible to correctly run, or easily add functionalities to, an existing program, while optimizing the code sequence to be written.

This object is achieved by the fact that the device for modifying code sequences written into a memory of a medium comprising a central processing unit capable of executing these code sequences, said memory containing a main program executable by the central processing unit, which also comprises a second programmable nonvolatile memory, possibly containing new executable code sequences, and a third working memory, is characterized in that a branch table TAB-DER contained in the second programmable memory contains at least one field containing reference data for a new code sequence, branching means allowing a deferred branch from the executed code sequence to the new code sequence written into one of the three memories and means in the new code sequence allowing the return to a point of the code sequence executed before the branch.

Another object of the present invention is to interrupt the normal running of a program prior to the execution of any instruction, even with a limited number of orientation points.

This object is achieved by the fact that the branching means comprise activatable orientation instructions (IORi) previously stored in the memory containing the code of the main program, each orientation instruction being associated with a reference i of the branch table TAB-DER written into programmable memory.

According to another characteristic, each orientation instruction (IORi) activated triggers the execution of a new code sequence comprising:

means for reading in the table TAB-DER of the programmable memory a time delay ΔTi corresponding to the reference of the orientation instruction, this time delay making it possible to defer the triggering of an interrupt that executes a jump to a new code sequence whose address (Adri) is indicated in the table, in association with the time delay,

means for storing the address (Adri) in a memory of the device, and

means for starting a timer of the device, for counting down the time required for the time delay of the jump.

Another object of the present invention is to make it possible to mask certain so-called sensitive operations performed by the central processing unit.

This object is achieved by the fact that the device for modifying code sequences comprises a second table TAB-SEC stored in the memory of the device and associating with each branch point (i) a time interval [ΔTmini; ΔTmaxi] associated with the time delay ΔTi prior to the execution of a new code sequence, and means for verifying that the time delay is authorized by the associated time interval supplied by this table.

According to another characteristic, the device for modifying code sequences comprises means that allow the time delay ΔTi to be shifted by the value of the time interval [ΔTmini; ΔTmaxi].

According to another characteristic, the device for modifying code sequences comprises means for triggering an error message when the time delay ΔTi is within the time interval.

According to another characteristic, the device for modifying code sequences comprises, following the end of the time delay (ΔTi) when the timer reaches the null value, means for triggering an interrupt, means for storing the current value of a program counter register PC in a stack, then means for branching the program to the address defined in the part of the ROM containing interrupt vectors, which supply the start address of the code sequence of the interrupt, means for verifying that the value Val_PC of the program counter register PC stored in the stack is not an address value of a sensitive sequence contained in a table TAB_SEC, and means for modifying the execution of the operations.

According to another characteristic, either the verification means sense that the value of the program counter register is contained by TAB_SEC in the interval [Adrdeb_i, Adrfin_1] corresponding to an interruption of the program during a sensitive sequence, and the means for modifying the execution of the operations of the card return a message indicating that its security has been breached and are inhibited, or the verification means sense that the value Val_PC of the program counter register is contained in the interval ]Adrfin_i, Adrdeb_i+1 corresponding to an interruption of the program during a nonsensitive sequence, and the means for modifying the execution of the operations then authorize the program to execute the new code sequence whose start address was stored during the execution of the orientation instruction (IORi).

According to another characteristic, the device for modifying code sequences comprises a frequency source for the timer that is different from the frequency source that allows the central processing unit to run the program, the value of the time delay (ΔTi) programmed into the branch table TAB_DER being calculated so as to allow the program to be interrupted at a given address, and the TAB-DER comprises, for each value of the time delay, an additional element containing this given address and means for comparing the address of the instruction interrupted by the interrupt to the one indicated in the table, and for triggering an alarm.

According to another characteristic, the device for modifying code sequences comprises alarm triggering means for inhibiting the medium and for indicating an attempted fraud through a write operation in the memory.

According to another characteristic, each new code sequence ends with an orientation instruction for reloading the timer with a new value of the time delay (ΔTi).

A final object is a process for modifying fixed code sequences written into a medium comprising a central processing unit and a memory.

This object is achieved by the fact that the process for modifying fixed code sequences written into a medium comprising a central processing unit and a memory is comprised of providing, in at least one fixed code sequence, at least one orientation instruction (IORi) making it possible, through an interrupt deferred by a time delay, to branch the execution of the program contained in the memory to a given address, using a branch table TAB_DER, as a function of a reference i associated with the orientation instruction and within a time delay determined by the content of a line of the table corresponding to the reference i of the orientation instruction, a new code sequence executable during the interrupt generated at the end of the time delay being stored at the address contained in the table (TAB_DER).

According to another characteristic, a step that triggers the interrupt is preceded by a verification step, and the time delay is not included in an interval defined by a second, so-called security table TAB_SEC written into the nonvolatile memory of the medium.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the present invention will emerge more clearly through the reading of the following description given in reference to the appended drawings, in which:

FIG. 1 represents a schematic view of the electronic circuits necessary to the implementation of the present invention;

FIG. 2A represents the timing diagram of the code sequences necessary to the implementation of the present invention;

FIG. 2B represents the logical diagram of the code sequence corresponding to the activation of a branch point;

FIG. 2C represents the code sequence corresponding to the execution of the interrupt generated by the computer;

FIG. 2D represents the branch table TAB_DER;

FIG. 3 represents a timing diagram of the interleaving of the code sequences of the application program for executing the orientation instruction and for executing the interrupt, in an exemplary application of the invention;

FIG. 4A represents the security table TAB_SEC;

FIG. 4B represents the modification of the logical diagram of the branch sequence in case of a utilization of a security table conjointly with the branch table of the invention;

FIG. 5 represents the logical diagram of the program for writing into the branch table.

DESCRIPTION OF THE PREFERRED EMBODIMENT(S)

The present invention will now be explained with the aid of an example that falls within the scope of “chip cards” and more specifically microprocessor cards. These cards generally have an integrated circuit whose general diagram is represented in FIG. 1. This circuit has a central processing unit (1) connected by an address and data bus to a nonvolatile memory, for example of the ROM type (2) containing the main program, a programmable nonvolatile memory of the EEPROM type (3), a working memory RAM (4), an input-output interface I/O (5) and a timer (6). The timer can generate an interrupt, thus interrupting the normal operation of the program run by the central processing unit. The interrupt is associated with a vector. The latter is the start address of the interrupt routine. It is the address of the first instruction of the sequence that handles the interruption. A means for inhibiting the interrupt, which may be integrated with or external to the timer, makes it possible to delay and even cancel the interrupt. Thus, it can be handled later or not at all.

The programmable memory (3) is divided into several parts. A first part (31), called the system area, contains system information that cannot be read from the outside; this part contains, in particular, the values of the pointers that make it possible to delimit each of the other parts of the memory. A second part (32) is called the data area; it is accessible from the outside and contains mainly user data. A third part (33) contains an orientation table TAB_DER; this table contains elements in identical formats composed of at least three fields (N°Ref, ΔTi and Adri). A fourth part (34), called the sequence area, contains the code sequences that can be called by the main program using the reference numbers (N°Ref) of the orientation point and the address (Adri) read in the table. It must be noted that in a variant of the invention, the orientation table, or one or more code sequences, can be loaded into working memory RAM rather than into programmable nonvolatile memory.

The start address, called AD_TAB, of the orientation table TAB_DER is stored in the system area (31). A precise location is provided for containing this value. The actual writing of this location effectively constitutes the indication that the table is actually present and that the orientation points can be operational.

The ROM (2), which contains, among other things, the main program, is divided into three parts. The first part (21) performs the initialization of the program during a power-up. The second part (22) contains the application program. The third part (23) contains the “dormant” code, whose role is explained below.

When the program reaches a branch point or orientation point (220), it executes a branch sequence represented in FIG. 2B, which comprises a first step in which the program checks to see if there is already an interrupt in progress. If so, the program is aborted. If not, the program continues with step 2202, in which it checks to see if an indicator corresponding to the branch point i is active.

If not, the program performs an error control process of the type described in the prior application. If so, the program continues with the step that searches in the table TAB-DER written into the third part (33) of the EEPROM, for the programming value (ΔTi) of the timer corresponding to the branch i and the jump address (Adrsi).

The next step 2205 allows the timer (6) to be loaded with the time value (ΔTi) provided by the line i of the table TAB_DER. Then, the next step of the program 2206 allows the timer to be started. In some microprocessors, the writing of a new value into the timer causes it to be activated, and in this case, the two steps 2205 and 2206 are combined. After this step, the branch sequence jumps, in step 2207, to the next instruction of the program it was in the process of running when it encountered a branch instruction, or orientation instruction (IOR), indicating a branch point.

When the timer started in step 2206 has counted down the time (ΔTi) supplied by the line i of the table TAB_DER, the timer (6) triggers an interrupt in the microprocessor (1), which results in the execution of an interrupt sequence (221; FIG. 2A). This interrupt sequence, shown in detail in FIG. 2C, begins with a step for the possible stacking of the jump context (2210) in the RAM (4). Then the execution of the interrupt continues with a step (2211) for executing the new code sequence contained in either the fourth part (34) of the EEPROM (3), or the third part (23) of the ROM, at the address previously stored in step 2204. Next, the interrupt ends with a step (2212) for the possible use of the stacked context to return to the main program, either to the instruction (2212A) following the one executed before the interrupt, for example using an interrupt return instruction RTI, or by executing a jump (for example, using a jump instruction), as represented by the reference 2212B in FIG. 2A.

Thus, it is understood that by recording a table in the EEPROM, an interrupt sequence in the ROM and a branch sequence in a volatile or nonvolatile memory, it is possible to intervene at any point in the application program stored in the ROM, and to modify or add functionalities by implementing dormant code parts, or new code parts written into EEPROM, for example.

The orientation point existed before the part of the program that now needs to be modified. This orientation point has its own reference number, in this case, “1”.

The table TAB_DER was entered into programmable memory and the entry corresponding to the reference number “1” was filled in as follows, for example:

No. of orientation point    Value of the timer    Jump address
1                           ΔT1                   Adr_1

ΔT1 was calculated so as to correspond to the time required to interrupt the execution of the main program at the desired address Adr_2 (FIG. 3). In performing this calculation, the number of instructions needed to “reach” the address Adr_2 and the countdown frequency of the timer are taken into account.

First, there is a test for the presence of the orientation table. As stated above, this can amount to testing for a writing of the location containing the start address of the table TAB_DER. Next, there is a test for the presence of an interrupt in progress in the timer. If the timer is running, the execution of the branch point must be inhibited, and only the code sequence corresponding to a previous orientation point will be executed. If not, the program searches for the values written into the second and third elements corresponding to orientation point number 1. The values ΔT1 and Adr_1 are extracted from the first and second field of the element, respectively. The data register of the timer is then loaded with the value ΔT1, and the interrupt vector associated with the interrupt invoked by the timer is loaded with the value Adr_1. Finally, just before exiting from the sequence of the orientation point, the timer is started and the value stored in its data register decreases as a function of time.

The value ΔTi must be determined with great precision; it depends directly on the number of cycles that separate the moments of execution of the instruction that starts the timer and of the first instruction that should not be executed. If the timer is synchronized with the clock of the central processing unit, it suffices to add up the number of cycles in each of the instructions that separate the two above-mentioned instructions. If the timer is not synchronized with the frequency of the CPU, the calculation is tricky and can only be approximate.

If the frequency source for the timer is different from the one that allows the program to be run, then the process of the invention makes it possible to execute, for example, a security control task. In effect, the values programmed into the table TAB_DER make it possible to interrupt at a given address, which address is indicated as an additional element in the table TAB_DER, and once the interrupt is active, the address of the interrupted instruction can be compared to the address indicated in the table. If they are not the same, then it can be concluded that there has been a disturbance of the frequency source, perhaps due to an attempted fraud, and the program can act in the appropriate manner (by shutting down, for example).
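The cycle-count calculation of ΔTi and the address comparison described in the two paragraphs above can be modelled as follows. This is an added example, not code from the patent: the instruction addresses, cycle counts, the 1:1 nominal ratio between timer ticks and CPU cycles, and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One instruction of the fixed program: its address and its cycle count. */
typedef struct { uint16_t adr; uint8_t cycles; } insn;

typedef enum { ISR_RUN_NEW_SEQUENCE, ISR_ALARM } isr_verdict;

/* Constructed sample: instructions executed after the one that starts the timer.
   0x4006 plays the role of Adr_2, the first instruction that must not execute. */
static const insn SAMPLE_PROG[] = {
    {0x4000, 3}, {0x4002, 2}, {0x4003, 4}, {0x4006, 2}, {0x4008, 11}, {0x4009, 5},
};
#define SAMPLE_PROG_LEN (sizeof SAMPLE_PROG / sizeof SAMPLE_PROG[0])

/* Timer synchronized with the CPU clock: the delay is the sum of the cycles of the
   instructions between the timer start and the target. Returns -1 if not found. */
long delta_t_for(const insn *prog, size_t n, size_t first, uint16_t target)
{
    long sum = 0;
    for (size_t i = first; i < n; i++) {
        if (prog[i].adr == target)
            return sum;
        sum += prog[i].cycles;
    }
    return -1;
}

/* Address of the first instruction not yet started when the timer reaches zero.
   num/den is the number of CPU cycles elapsing per timer tick (1/1 is nominal).
   Returns 0 if the timer expires beyond the modelled sequence. */
int interrupted_adr(const insn *prog, size_t n, size_t first, uint16_t dt,
                    unsigned num, unsigned den, uint16_t *adr)
{
    if (den == 0)
        return 0;
    unsigned long elapsed = (unsigned long)dt * num / den;
    unsigned long start = 0;            /* cycle at which prog[i] begins */
    for (size_t i = first; i < n; i++) {
        if (start >= elapsed) {         /* interrupt taken at this boundary */
            *adr = prog[i].adr;
            return 1;
        }
        start += prog[i].cycles;
    }
    return 0;
}

/* Check run at the start of the interrupt: the interrupted address must equal the
   address stored as the additional element of the TAB_DER line. */
isr_verdict isr_verify(uint16_t interrupted, uint16_t expected)
{
    return interrupted == expected ? ISR_RUN_NEW_SEQUENCE : ISR_ALARM;
}

int main(void)
{
    const uint16_t adr_2 = 0x4006;
    long dt = delta_t_for(SAMPLE_PROG, SAMPLE_PROG_LEN, 0, adr_2);
    const unsigned ratios[3][2] = { {1, 1}, {2, 1}, {1, 2} }; /* nominal, fast, slow CPU clock */

    printf("delta_t = %ld cycles\n", dt);
    for (int k = 0; k < 3; k++) {
        uint16_t a = 0;
        if (interrupted_adr(SAMPLE_PROG, SAMPLE_PROG_LEN, 0, (uint16_t)dt,
                            ratios[k][0], ratios[k][1], &a))
            printf("ratio %u/%u: interrupted at 0x%04X -> %s\n", ratios[k][0], ratios[k][1],
                   (unsigned)a, isr_verify(a, adr_2) == ISR_ALARM ? "alarm" : "run new sequence");
    }
    return 0;
}
```
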

A preferred way to implement the invention is comprised of creating a table (FIG. 2D) in programmable memory; the first element of this table is the reference number of the orientation point, the second element is a value for loading into the timer, and the third element is the address of the code sequence to be executed.

This table (FIG. 2D) has a maximum size of 30 bytes divided into 6 lines of 5 bytes each. The first element of the table comprises one byte, which makes it possible to enter into the ROM code 255 orientation points, numbered 1 to 255. The zero value indicates that there are no more values and that the end of the table has been reached. The second value is expressed in two bytes, which allows 65536 different values for loading into the timer. Finally, the jump address is indicated in two bytes, the conventional value for microprocessors of the chip card type. This address must make it possible to execute code sequences written into programmable memory EEPROM as well as the code in ROM (dormant code).

It may be seen that the sixth line of this table TAB_DER (FIG. 2D) is set at “000,” so in the present case there are only 5 orientation points that are operational: numbers 1, 3, 4 (2 entries) and 6. The orientation points 3 and 6 have the same jump address Adr_3, which means that the program modification is the same for these two points. Therefore, three branch sequences are provided. These branch sequences can be stored in the programmable memory and in a part of the ROM code, which “dormant” code can be executed with the aid of the orientation points.
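The 5-byte line layout and the zero end marker described above can be read with a parser like the following. This is an added example, not code from the patent: the big-endian byte order, the function names and the sample table contents are assumptions; only the field sizes, the six-line maximum and the pattern of reference numbers (1, 3, 4 twice, 6, then zero) come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAB_DER_LINE_SIZE 5  /* 1-byte reference, 2-byte timer value, 2-byte address */
#define TAB_DER_MAX_LINES 6  /* 30-byte maximum table size */

typedef struct {
    uint8_t  ref;      /* orientation point number, 1..255 */
    uint16_t delta_t;  /* value loaded into the timer */
    uint16_t adr;      /* start address of the new code sequence */
} tab_der_entry;

/* Constructed sample: points 3 and 6 share a jump address, point 4 has two entries. */
static const uint8_t SAMPLE_TAB_DER[30] = {
    0x01, 0x00, 0x40, 0x81, 0x00,
    0x03, 0x01, 0x23, 0x82, 0x00,
    0x04, 0xFF, 0xFF, 0x83, 0x00,
    0x04, 0x00, 0x10, 0x83, 0x00,
    0x06, 0x02, 0x00, 0x82, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00,   /* reference 0: end of table */
};

/* Assumption: big-endian fields; the description does not give the byte order. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Reads lines until a zero reference byte, the six-line maximum or the end of the
   buffer. Returns the number of entries, or -1 if a line is cut short. */
int tab_der_parse(const uint8_t *buf, size_t len, tab_der_entry out[TAB_DER_MAX_LINES])
{
    int n = 0;
    size_t off = 0;

    while (n < TAB_DER_MAX_LINES && off < len) {
        if (buf[off] == 0)
            break;                              /* end-of-table marker */
        if (len - off < TAB_DER_LINE_SIZE)
            return -1;                          /* truncated line: reject the table */
        out[n].ref = buf[off];
        out[n].delta_t = be16(buf + off + 1);
        out[n].adr = be16(buf + off + 3);
        n++;
        off += TAB_DER_LINE_SIZE;
    }
    return n;
}

/* Finds the nth (0-based) entry for a reference number, since one orientation
   point may appear on several lines. Returns 1 on success, 0 if there is none. */
int tab_der_find(const tab_der_entry *e, int n, uint8_t ref, int nth, tab_der_entry *hit)
{
    for (int i = 0; i < n; i++) {
        if (e[i].ref == ref && nth-- == 0) {
            *hit = e[i];
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    tab_der_entry e[TAB_DER_MAX_LINES];
    int n = tab_der_parse(SAMPLE_TAB_DER, sizeof SAMPLE_TAB_DER, e);

    for (int i = 0; i < n; i++)
        printf("ref %u: delta_t=%u adr=0x%04X\n",
               (unsigned)e[i].ref, (unsigned)e[i].delta_t, (unsigned)e[i].adr);
    return n < 0;
}
```
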

Another way to manage the orientation table, which allows the programmer to avoid having to provide in memory information corresponding to the size of the table, is to provide a supplementary field that contains the address value of the next element of the orientation table. For further details, please refer to the patent application mentioned above.

Advantageously, a new code sequence can end with an orientation point, making it possible to reload the timer and therefore to add a new time delay, as shown in the preceding table for the reference number “4.” This is particularly useful for producing very long time delays that exceed the capacity of the timer. In this case, the management of an interrupt timer, which is initialized with a certain start value, is implemented in the code sequence; this value represents the maximum number of time delays to be executed before programming the value written in TAB_DER into the timer. After this last time delay, the part of the code sequence related to the modification of the main program is executed.

An exemplary application of the invention is represented in FIG. 3, in which an application program written into ROM can contain a certain number of polling instructions (IIi), followed by code sequences that separate them from the corresponding orientation instruction (IORi), in accordance with the principle of French patent application No. 96/05454, filed by the Applicant.

These polling instructions (IIi) make it possible to determine whether or not the corresponding orientation instruction (IORi) is active, and if it is active, when the program reaches the orientation instruction, to branch the program to an orientation or branch point (i) whose reference number for the orientation instruction (IORi) is i.

The execution of the orientation instruction (IORi) triggers several operations. First, it triggers the reading of the orientation or branch table TAB_DER written in the area 33 of the EEPROM, in order to determine whether, at the address i of this table, the timer value ΔTi and jump address value (Adri) have been filled in, and if these values are present, the information corresponding to the timer value ΔTi and jump address value Adri is temporarily stored, for example in the RAM (4). Then the orientation instruction ends with the starting of the timer 6.

Once the orientation instruction has been executed, the application program continues to run its sequence in order, reaches the execution of the instruction indicated by the address Adr_1 corresponding to the exemplary executable code appearing in Appendix 1, executes the instruction set of this sequence, then reaches the instruction indicated by the address Adr_2, for which it has been decided to modify the corresponding value, used in subsequent operation, of the instruction of the sequence of the program, normally recorded in ROM by another value. For this reason, ΔTi is determined so that the interrupt occurs before the program executes the instruction of the address (Adr_2) and the interrupt branches the program to a code sequence at the address Adri. Thus, in the example of the program given in Appendix 1, the value 10 will need to be replaced by the value 20 in the multiplication that is carried out later at the address Adr_3.

This is obtained by the code sequence appearing in Appendix 2. Thus, it is understood that the accumulator B has been loaded with the value 20 instead of the value 10, which will change the result of the multiplication without having to modify the program written in ROM.

Thus, by writing new code sequences into EEPROM in the area 34, as shown in FIG. 3 in square 341, by writing a branch table TAB_DER into the area 33 of the EEPROM (3), and by putting orientation instructions in the operating system stored in the ROM of the chip card, it is possible to intervene as necessary and to modify all the instructions by choosing the time delay ΔTi and the intervention address Adri at which the new code sequence written into one of the memories of the card will be located.

The start of this program part in Appendix 1 comprises the call to an orientation point, numbered “01.” Instructions then exist. Next, a specific sequence is described. First, the value of the byte pointed to by X is multiplied by the value 10; the result, expressed in two bytes, is stored in two registers, then the subroutine for writing into programmable memory is executed. The program, being fixed in ROM, is no longer modifiable, but the value “10” must be changed to “20.” The following describes how the present invention can solve this problem.

The central processing unit continues running the main program (PP; FIG. 3). At the moment when the microprocessor starts the execution of the instruction at the address labelled Adr_2, the data register of the timer (6), initialized at the branch point with the value ΔTi, reaches the null value, thus triggering an interrupt (IT; FIG. 3), which allows the jump to the address Adri. Therefore, the instruction “LDB #010” is not executed. The central processing unit is redirected to the address Adri, where the code sequence appearing in Appendix 2 is located.

This small code sequence described in Appendix 2 makes it possible to load the value “20” into the register B used for the multiplication, then to return to the main program, i.e., to the address adr_3 immediately following the instruction that must be modified or not executed. The multiplication instruction at this address no longer uses the value “10” contained in the preceding instruction in the ROM code, but the value “20” contained in the new code sequence.

The following variant of the invention takes security needs into account. For security reasons, it may be advantageous not to be able to stop the execution of a program part with an interrupt. This is the case, for example, in an authentication involving a cryptographic calculation and a comparison between received and calculated values. Thus, as long as the secret key is in working memory and therefore visible through a branch sequence, interrupts must not be allowed. This is possible by inhibiting all interrupts, or at least those of the timer, during the execution of a “sensitive” program.

The inhibition of the interrupts and their reactivation are each carried out by an instruction that can be interpreted by nearly all microprocessors. These instructions generally modify one bit of the microprocessor's status register which, when it is active, prevents the triggering of the interrupt, and when it is inactive, allows interrupts. The presence of an interrupt-inhibiting instruction in ROM before a sensitive sequence ensures that the sensitive sequence is permanently protected if the reactivation instruction is put in place after the sensitive sequence.

Another method for preventing the triggering of interrupts during the execution of a sensitive sequence is to test, during the utilization of the table TAB_DER, and for each orientation point, the programming value of the timer. A locked table TAB_SEC is then provided in ROM or in E²PROM, which comprises for each orientation point of the main program a pair of values [ΔTmini, ΔTmaxi] defining an interval in which any programming value of the timer is forbidden. Advantageously, the table TAB_SEC can comprise several pairs [ΔTmini, ΔTmaxi] for the same orientation point, as shown in FIG. 4A.

The presence of the table TAB_SEC in ROM fixes the sensitive sequences, as before, whereas its presence in E²PROM makes it possible to modify the sensitive sequence areas until they are locked with a key.

For the orientation points 3 and 5, two time intervals are programmed.

During the utilization of the information in the table TAB_DER, the operating system tests to see if the value ΔTi to be written corresponding to the orientation point i belongs to any intervals [ΔTmini, ΔTmaxi]. If that is the case, a sensitive sequence would be interrupted, and that being forbidden, the operating system prohibits the write operation and returns an error message. If, on the other hand, the value ΔTi corresponding to this orientation point is not contained in the unauthorized time interval, the write operation is carried out and the orientation point becomes operational.

In the variant in which a security table TAB_SEC is used, the branch sequence corresponds to FIG. 4B. This sequence comprises, in addition to the steps in FIG. 2B, the following steps, added between step 2204 and step 2205 of FIG. 2B:

a first step 22041, which is comprised of reading the security table TAB_SEC on the line i to determine the interval [ΔTmini, ΔTmaxi], and verifying, for example, that the initialization value ΔTi of the timer is not included in this interval [ΔTmaxi, ΔTmini]. The opposite logic is also possible. If the value ΔTi is not included, the process continues with step 2205. If the value (ΔTi) is included, the process continues with either step 22043A, which allows the display of an error message, or step 22043B, which executes an instruction that makes it possible to reload the timer with the value (ΔTi) increased by the interval. This defers the triggering of the interrupt by the length of the interval.

This last variant makes it possible to trigger the interrupts, but does not make it possible to intervene in sequences of the application program that must be protected because they are part of protected segments.

For the rest, the branch sequence continues in the same way as in FIG. 2B.

Finally, the application program or a part of the dormant code can include the write program, which can be called, for example by an orientation to a fixed initial address, in order to allow, through the orientation to this write program, the writing of the branch table TAB_DER in accordance with the sequence described in FIG. 5.

This program starts with a step for receiving an order to write one or more elements into the table TAB_DER, in which the elements ΔTi and Adri must be written on the line i of the element in the table. This step is followed by a step for testing the write flag ECA of the table in order to verify whether it is active or inactive. If ECA is active, the program continues with an error message in step 61. If ECA is inactive, the program continues with a step 53 for analyzing each element ΔTi relative to the corresponding value in the security table TAB_SEC. This step includes a test 54 for determining whether the value ΔTi falls within the interval [ΔTmini, ΔTmaxi]. If so, the program continues in step 22043B with a modification of ΔTi representing the value of the interval, in order to delay the interrupt so that it does not fall within the prohibited sequence. A variant, represented in parallel, is comprised of sending a message 22043A.

This is represented in step 59 by the operation comprised of replacing (ΔTi) with the value (ΔTi+x), x being the interval (ΔTmaxi−ΔTmini). In the case where the ΔT does not fall within the interval, or after a modification of the value ΔTi, the program continues with step 55, in which the write flag ECA of the table is set to the active state.

Once this step has been executed, the program continues in step 56 with an update of the branch table and a verification of the write operation. This verification is carried out by means of a test represented in step 57. If the test confirms that the write operation is correct, the program continues with a test to see if there is another element to be written. If not, the program ends with step 62; if so, the program loops back to step 53.

If the verification test is negative, the program continues with step 60 for setting the write flag to the inactive state.
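The write check of FIG. 5 as an added C example, not code from the patent: the table contents and sizes, the return codes and the names hit, vet_delay and write_tab_der are assumptions, TAB_DER is a RAM array standing in for E²PROM, and the flag is left active at step 62 because the text does not say otherwise. It re-checks the delay after each shift, since with closed bounds ΔTi + (ΔTmaxi − ΔTmini) can still sit on ΔTmaxi or land in a second window of the same orientation point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_POINTS 6            /* constructed table sizes */
#define MAX_WIN  2
typedef struct { uint16_t dt_min, dt_max; } window_t;   /* [dTmin, dTmax] */
typedef struct { uint8_t i; uint16_t dt, adr; } elem_t; /* line i: dTi, Adri */

/* Constructed TAB_SEC; points 3 and 5 carry two windows, as in the text. */
static const window_t TAB_SEC[N_POINTS][MAX_WIN] = {
    [1] = {{40, 60}},
    [3] = {{10, 20}, {100, 130}},
    [5] = {{5, 15}, {25, 30}},
};
static const uint8_t TAB_SEC_N[N_POINTS] = {0, 1, 0, 2, 0, 2};
static struct { uint16_t dt, adr; } TAB_DER[N_POINTS]; /* stands in for E2PROM */
static int ECA;                                        /* write flag of TAB_DER */

enum { WR_OK, WR_ERR_FLAG, WR_ERR_FORBIDDEN, WR_ERR_VERIFY };
enum { POLICY_REJECT, POLICY_SHIFT };   /* step 22043A or step 22043B */

/* Test 54: window of point i that contains dt (closed bounds), or NULL. */
static const window_t *hit(unsigned i, uint16_t dt) {
    for (unsigned k = 0; k < TAB_SEC_N[i]; k++)
        if (dt >= TAB_SEC[i][k].dt_min && dt <= TAB_SEC[i][k].dt_max)
            return &TAB_SEC[i][k];
    return NULL;
}

/* Steps 53, 54 and 59 for one value: 0 and the value to write in *out,
 * or -1 if the value must be refused. */
static int vet_delay(unsigned i, uint16_t dt, int policy, uint16_t *out) {
    const window_t *w;
    for (int tries = 0; (w = hit(i, dt)) != NULL; tries++) {
        uint16_t x = (uint16_t)(w->dt_max - w->dt_min);   /* step 59 */
        if (policy == POLICY_REJECT || x == 0 || tries == 4 ||
            dt > UINT16_MAX - x)
            return -1;             /* refuse: no safe shifted value found */
        dt = (uint16_t)(dt + x);   /* may still sit on dt_max: loop re-checks */
    }
    *out = dt;
    return 0;
}

/* One write order for n elements, in the step order of FIG. 5. */
int write_tab_der(const elem_t *e, size_t n, int policy) {
    if (ECA) return WR_ERR_FLAG;                       /* step 61 */
    for (size_t k = 0; k < n; k++) {
        uint16_t dt;
        if (e[k].i >= N_POINTS || vet_delay(e[k].i, e[k].dt, policy, &dt))
            return WR_ERR_FORBIDDEN;
        ECA = 1;                                       /* step 55 */
        TAB_DER[e[k].i].dt = dt;                       /* step 56 */
        TAB_DER[e[k].i].adr = e[k].adr;
        if (TAB_DER[e[k].i].dt != dt || TAB_DER[e[k].i].adr != e[k].adr) {
            ECA = 0;                                   /* step 60 */
            return WR_ERR_VERIFY;                      /* step 57 failed */
        }
    }
    return WR_OK;                                      /* step 62 */
}

int main(void) {
    elem_t order[] = {{3, 10, 0x9000}, {5, 5, 0x9040}};   /* constructed */
    int rc = write_tab_der(order, 2, POLICY_SHIFT);
    printf("rc=%d dT3=%u dT5=%u\n", rc, (unsigned)TAB_DER[3].dt,
           (unsigned)TAB_DER[5].dt);
    return 0;
}
```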

In a variant of the invention, using the table TAB_DER, it is possible to protect certain code parts without disturbing the capabilities for modifying the other parts.

A third variant is comprised of storing in the table TAB_SEC in ROM the start and end addresses associated with each of the sensitive sequences. The address values are easily determined and are not the result of a calculation for determining a duration, as above.

For example, a TAB_SEC in which each line represents the start and end addresses of sensitive sequences:

    Start address    End address
    Adrdeb_1         Adrfin_1
    Adrdeb_2         Adrfin_2

Advantageously, the address windows [Adrdeb_i, Adrfin_i] are stored in order of increasing addresses, which facilitates the reading of the table. Consequently, the values located in the intervals ]Adrfin_i, Adrdeb_i+1[ are address values of the non-sensitive program.

The verification of the interruption of a sensitive sequence is carried out at the end of the time delay. When the timer reaches the null value, an interrupt is triggered and the current value of the PC is placed in the stack, then the program is branched to the address defined in the part of the ROM containing what is commonly called an “interrupt vector.” The designer of the program has taken care to initialize the value of the vector corresponding to the interrupt generated by the end of the timer with the start address of the code sequence of the interrupt. Said routine is in ROM, and therefore non-modifiable for security reasons, so it will always be executed.

At the start of said code sequence of the interrupt, it is verified that the value of the PC (Val_PC) stored in the stack (i.e., the address of the instruction that the microprocessor would have to execute if there were no interrupt) is not an address value of a sensitive sequence. If the table TAB_SEC does not exist or is empty, the test is not performed and the program executes the new code sequence directly. Otherwise, the program of the routine extracts the value Val_PC from the stack and searches in the table TAB_SEC to see which address values it is located between.

If the values are of the [Adrdeb_i, Adrfin_i] type, the program has been interrupted during a sensitive sequence, and the card can return a message indicating that its security has been breached and can be inhibited. If the values are of the ]Adrfin_i, Adrdeb_i+1[ type, the program has been interrupted during a nonsensitive sequence, and the program then executes the new code sequence whose start address was stored during the processing of the orientation point.
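The interrupt-time test on Val_PC as an added C example, not code from the patent: the addresses in TAB_SEC, the function names and the alarm address are constructed for illustration. It also checks once that the windows are ordered and disjoint, which the gap reading ]Adrfin_i, Adrdeb_i+1[ relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint16_t adr_deb, adr_fin; } sens_win_t; /* [Adrdeb_i, Adrfin_i] */

/* Constructed ROM table, stored in order of increasing addresses. */
static const sens_win_t TAB_SEC[] = {
    {0x4100, 0x417F},
    {0x4300, 0x43FF},
    {0x5A00, 0x5A3F},
};
#define TAB_SEC_LEN (sizeof TAB_SEC / sizeof TAB_SEC[0])

enum { PC_NONSENSITIVE, PC_SENSITIVE };

/* Every address between two windows counts as non-sensitive only if each
 * window is well formed and the windows are strictly increasing and disjoint. */
int tab_sec_well_formed(const sens_win_t *t, size_t n) {
    for (size_t k = 0; k < n; k++) {
        if (t[k].adr_deb > t[k].adr_fin) return 0;
        if (k > 0 && t[k].adr_deb <= t[k - 1].adr_fin) return 0;
    }
    return 1;
}

/* Binary search for the window that contains val_pc (closed bounds). */
int classify_pc(const sens_win_t *t, size_t n, uint16_t val_pc) {
    size_t lo = 0, hi = n;             /* empty table: the test is skipped */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (val_pc < t[mid].adr_deb)      hi = mid;
        else if (val_pc > t[mid].adr_fin) lo = mid + 1;
        else return PC_SENSITIVE;
    }
    return PC_NONSENSITIVE;
}

/* Decision taken at the start of the timer interrupt routine: returns the
 * address to continue at, Adri for a non-sensitive PC, else the alarm code. */
uint16_t timer_isr_target(uint16_t val_pc, uint16_t adri, uint16_t alarm) {
    if (classify_pc(TAB_SEC, TAB_SEC_LEN, val_pc) == PC_SENSITIVE)
        return alarm;   /* security breached: report and inhibit the card */
    return adri;        /* execute the new code sequence */
}

int main(void) {
    const uint16_t pcs[] = {0x40FF, 0x4100, 0x4200, 0x43FF};  /* constructed */
    printf("table ok: %d\n", tab_sec_well_formed(TAB_SEC, TAB_SEC_LEN));
    for (size_t k = 0; k < sizeof pcs / sizeof pcs[0]; k++)
        printf("Val_PC=%04X -> %04X\n", (unsigned)pcs[k],
               (unsigned)timer_isr_target(pcs[k], 0x9000, 0xFFF0));
    return 0;
}
```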

While the preferred forms and embodiments of the invention have been illustrated and described, it will be apparent to those of ordinary skill in the art that various changes and modifications may be made without deviating from the inventive concept and spirit of the invention as set forth above, and it is intended by the appended claims to define all such concepts which come within the full scope and true spirit of the invention.

APPENDIX 1

Shown below is an executable code part of a main program, which code was written in a MOTOROLA 6805 assembler:

    adr_0   LDX #01         ; Loading of the pointer with the number of the orientation point
            JSR INS_ORT     ; Jump to the orientation point
            NOP
    adr_1   LDX #080H       ; Loading of the hexadecimal value 80 into the pointer X.
            LDA ,X          ; Loading of the accumulator A with the content of the address 80.
            BEQ V_ZERO      ; Jump if equal to zero to V_ZERO, otherwise next instruction.
    adr_2   LDB #010d       ; Loading of the accumulator B with the decimal value 10
    adr_3   MUL             ; Multiplication of A by B
            STA Reg_H       ; Storage of the content of the accumulator A in Reg_H.
            STB Reg_L       ; Storage of the content of the accumulator B in Reg_L.
            JSR Write_Word
    V_ZERO  JMP Next

APPENDIX 2

    Adri    LDB #020d
            JMP adr_3

What is claimed is:
 1. A device for modifying code sequences in a medium comprising a central processing unit (1) for executing code sequences, a first memory (2) containing a program comprising at least one code sequence executable by the central processing unit (1), and a second programmable memory (3), said device comprising: a branch table TAB_DER stored in the second programmable memory, said branch table TAB_DER having at least one field containing reference data for a new code sequence stored in one of said memories, said new code sequence being executable at a predetermined address of said program; a set of orientation points distributed in the program, said predetermined address being defined as a predetermined time delay passed from a given one of said orientation points to reach said predetermined address; branching instructions allowing a deferred branch from a code sequence of the program to said new code sequence, wherein a decision as to when to perform the branch being determined by counting down said predetermined time delay from said given one orientation point until said time has elapsed; and means provided in the new code sequence allowing, once the new code sequence has been executed, a return to a point of said code sequence of the program.
 2. The device for modifying code sequences according to claim 1, characterized in that the branching instructions comprise activatable orientation instructions (IORi) previously stored in the memory containing the code of the program at said orientation points, each orientation instruction being associated with a reference (i) of the branch table TAB_DER written into programmable memory (3).
 3. The device for modifying code sequences according to claim 2, characterized in that each orientation instruction (IORi) activated triggers the execution of a new code sequence comprising: means for reading in the table TAB_DER of the programmable memory (2) a time delay ΔTi corresponding to the reference of the orientation instruction, which time delay makes it possible to defer the triggering of an interrupt that executes a jump to a new code sequence whose address (Adri) is indicated in the table, in association with the time delay, means for storing the address (Adri) in a memory of the device and means for starting a timer (6) of the device for counting down the time required for the time delay of the jump.
 4. The device for modifying code sequences according to claim 3, characterized in that it comprises a second table TAB_SEC stored in the memory of the device and associating with each branch point (i) a time interval [ΔTmini; ΔTmaxi] associated with the time delay ΔTi prior to the execution of a new code sequence, and means for verifying that the time delay is authorized by the associated time interval provided by this table.
 5. The device for modifying code sequences according to claim 4, characterized in that it comprises means that allow the time delay ΔTi to be shifted by the value of the time interval [ΔTmini; ΔTmaxi].
 6. The device for modifying code sequences according to claim 4, characterized in that it comprises means for triggering an error message when the time delay ΔTi is within the time interval.
 7. The device for modifying code sequences according to claim 3, characterized in that it comprises, following the end of the time delay (ΔTi) when the timer (6) reaches the null value, means for triggering an interrupt, means for storing the current value of a program counter register PC in a stack, then means for branching the program to the address defined in the part of the ROM that contains interrupt vectors, which supply the start address of the code sequence of the interrupt, means for verifying that the value Val_PC of the program counter register PC stored in the stack is not an address value of a sensitive sequence contained in a table TAB_SEC, and means for modifying the execution of the operations.
 8. The device for modifying code sequences according to claim 7, characterized in that either the verification means sense that the value of the program counter register is contained by TAB_SEC in the interval [Adrdeb_i, Adrfin_i] corresponding to an interruption of the program during a sensitive sequence and the means for modifying the execution of the operations of the card return a message indicating that its security has been breached and is inhibited, or the verification means sense that the value of the program counter register Val_PC is contained in the interval ]Adrfin_i, Adrdeb_i+1[ corresponding to an interruption of the program during a nonsensitive sequence and the means for modifying the execution of the operations then authorize the program to execute the new code sequence whose start address was stored during the execution of the orientation instruction (IORi).
 9. The device for modifying code sequences according to claim 1, characterized in that it comprises a timer (6) and a first and a second frequency source, the first frequency source being associated with the timer (6) and being different from the second frequency source that allows the central processing unit (1) to run the program, a time delay (ΔTi) programmed into the branch table TAB_DER, the value of the time delay (ΔTi) being calculated so as to allow the program to be interrupted at a given address, and the table TAB_DER comprises for each value of the time delay an additional element containing this given address and means for comparing the address of the instruction interrupted by the interrupt to the one indicated in the table, and for triggering an alarm.
 10. The device for modifying code sequences according to claim 9, characterized in that it comprises alarm triggering means for inhibiting the medium and for indicating an attempted fraud through a write operation in the first memory.
 11. The device for modifying code sequences according to claim 1, comprising a timer (6) for establishing a time delay value (Δti) and characterized in that each new code sequence ends with an orientation instruction for reloading the timer (6) with a new time delay value (Δti).
 12. The device for modifying code sequences according to claim 3, comprising a timer (6) for establishing a time delay value (Δti) and characterized in that each new code sequence ends with an orientation instruction for reloading the timer (6) with a new time delay value (Δti).
 13. A method for modifying code sequences in a medium comprising a central processing unit (1) capable of executing code sequences, a first memory (2) containing a program comprising at least one code sequence executable by the central processing unit (1), and a second programmable memory (3), said method comprising: storing a branch table TAB_DER in the second programmable memory, containing at least one field containing reference data for a new code sequence stored in one of said memories, said new code sequence being executable at a predetermined address of said program; distributing a set of orientation points in said program, said predetermined address being defined as a predetermined time delay passed from a given one of said orientation points to reach said predetermined address; providing branching means in said medium, which performs a branch from a code sequence of said program to said new code sequence, wherein a decision as to when to perform the branch being determined by counting down said predetermined time delay from said given one orientation point until said time has elapsed; and providing return means in the new code sequence for performing, once the new code sequence has been executed, a return to said code sequence of the program.
 14. The method according to claim 13, wherein the step of performing the branch is preceded by a verification step comprised of verifying that said predetermined time is not included in an interval defined by a second, security table TAB_SEC written into said first or second memory of the medium.
 15. A device for modifying code sequences in a medium comprising a central processing unit (1) for executing code sequences, a first memory (2) containing a program comprising at least one code sequence executable by the central processing unit (1), and a second programmable memory (3), said device comprising: a branch table TAB_DER contained in the second programmable memory, said branch table TAB_DER having at least one field containing reference data for a new code sequence stored in one of said memories; branching instructions allowing a deferred branch from a code sequence of the program to said new code sequence; and means provided in the new code sequence allowing, once the new code sequence has been executed, a return to a point of said code sequence of the program, wherein branching instructions comprise activatable orientation instructions (IORi) previously stored in the memory containing the code of the program, each orientation instruction being associated with a reference (i) of the branch table TAB_DER written into programmable memory (3); and, wherein each orientation instruction (IORi) activated triggers the execution of a new code sequence comprising: means for reading in the table TAB_DER of the programmable memory (2) a time delay ΔTi corresponding to the reference of the orientation instruction, which time delay makes it possible to defer the triggering of an interrupt that executes a jump to a new code sequence whose address (Adri) is indicated in the table, in association with the time delay, means for storing the address (Adri) in a memory of the device and means for starting a timer (6) of the device for counting down the time required for the time delay of the jump.
 16. The device for modifying code sequences according to claim 15, characterized in that it comprises a second table TAB_SEC stored in the memory of the device and associating with each branch point (i) a time interval [ΔTmini; ΔTmaxi] associated with the time delay ΔTi prior to the execution of a new code sequence, and means for verifying that the time delay is authorized by the associated time interval provided by said second table.
 17. The device for modifying code sequences according to claim 16, characterized in that it comprises means that allow the time delay ΔTi to be shifted by the value of the time interval [ΔTmini; ΔTmaxi].
 18. The device for modifying code sequences according to claim 17, characterized in that it comprises means for triggering an error message when time delay ΔTi is within the time interval.
 19. The device for modifying code sequences according to claim 15, characterized in that it comprises, following the end of the time delay (ΔTi) when the timer (6) reaches the null value, means for triggering an interrupt, means for storing the current value of a program counter register PC in a stack, then means for branching the program to the address defined in the part of the ROM that contains interrupt vectors, which supply the start address of the code sequence of the interrupt, means for verifying that the value Val_PC of the program counter register PC stored in the stack is not an address value of a sensitive sequence contained in a table TAB_SEC, and means for modifying the execution of the operations.
 20. The device for modifying code sequences according to claim 19, characterized in that either the verification means sense that the value of the program counter register is contained by TAB_SEC in the interval [Adrdeb_i, Adrfin_i] corresponding to an interruption of the program during a sensitive sequence and the means for modifying the execution of the operations of the card return a message indicating that its security has been breached and is inhibited, or the verification means sense that the value of the program counter register Val_PC is contained in the interval ]Adrfin_i, Adrdeb_i+1[ corresponding to an interruption of the program during a nonsensitive sequence and the means for modifying the execution of the operations then authorize the program to execute the new code sequence whose start address was stored during the execution of the orientation instruction (IORi).
 21. The device for modifying code sequences according to claim 15, comprising a timer (6) for establishing a time delay value (Δti) and characterized in that each new code sequence ends with an orientation instruction for reloading the timer (6) with a new time delay value (Δti).
 22. A device for modifying code sequences in a medium comprising a central processing unit (1) for executing code sequences, a first memory (2) containing a program comprising at least one code sequence executable by the central processing unit (1), and a second programmable memory (3), said device comprising: a branch table TAB_DER contained in the second programmable memory, said branch table TAB_DER having at least one field containing reference data for a new code sequence stored in one of said memories; branching instructions allowing a deferred branch from a code sequence of the program to said new code sequence; means provided in the new code sequence allowing, once the new code sequence has been executed, a return to a point of said code sequence of the program; a timer (6) and a first and a second frequency source, the first frequency source being associated with the timer (6) and being different from the second frequency source that allows the central processing unit (1) to run the program; and a time delay (ΔTi) programmed into the branch table TAB_DER, wherein the value of the time delay (ΔTi) being calculated so as to allow the program to be interrupted at a given address, and the table TAB_DER comprises for each value of the time delay an additional element containing the given address and means for comparing the address of the instruction interrupted by the interrupt to the one indicated in the table, and for triggering an alarm.
 23. The device for modifying code sequences according to claim 22, characterized in that it comprises alarm triggering means for inhibiting the medium and for indicating an attempted fraud through a write operation in the first memory.